Reviewing Deployment Prerequisites
In order to deploy ArcSight capabilities on AWS, the user requires an active AWS subscription, as well as a properly configured IAM user account.
Installation of ArcSight Suite is performed under the local IAM user. If you do not have a local IAM user, ask your AWS administrator to create a user for you and assign the required IAM policies as described below.
Reviewing the Minimal Permissions for IAM User
Access to various AWS resources is controlled by permissions assigned to the IAM user. For easier management, you can create a policy holding the minimal set of permissions required to complete tasks in this guide. The policy must contain the following permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:*",
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateAccessKey",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:DeleteAccessKey",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GenerateServiceLastAccessedDetails",
        "iam:GetAccessKeyLastUsed",
        "iam:GetAccountSummary",
        "iam:GetLoginProfile",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetServiceLastAccessedDetails",
        "iam:GetServiceLastAccessedDetailsWithEntities",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListAttachedGroupPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListEntitiesForPolicy",
        "iam:ListGroupPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListMFADevices",
        "iam:ListOpenIDConnectProviders",
        "iam:ListPolicies",
        "iam:ListPoliciesGrantingServiceAccess",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:ListSAMLProviders",
        "iam:ListSSHPublicKeys",
        "iam:ListServerCertificates",
        "iam:ListServiceSpecificCredentials",
        "iam:ListSigningCertificates",
        "iam:ListUserPolicies",
        "iam:ListUserTags",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "iam:UpdateAccessKey",
        "iam:UpdateLoginProfile"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm:*",
        "autoscaling:*",
        "cloudformation:*",
        "ec2:*",
        "ecr:*",
        "eks:*",
        "elasticfilesystem:*",
        "elasticloadbalancing:*",
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject",
        "sns:ListSubscriptions",
        "sns:ListTopics",
        "ssm:DescribeActivations",
        "ssm:DescribeAssociation",
        "ssm:DescribeAssociationExecutionTargets",
        "ssm:DescribeAssociationExecutions",
        "ssm:DescribeAutomationExecutions",
        "ssm:DescribeAutomationStepExecutions",
        "ssm:DescribeAvailablePatches",
        "ssm:DescribeDocument",
        "ssm:DescribeDocumentParameters",
        "ssm:DescribeDocumentPermission",
        "ssm:DescribeEffectiveInstanceAssociations",
        "ssm:DescribeEffectivePatchesForPatchBaseline",
        "ssm:DescribeInstanceAssociationsStatus",
        "ssm:DescribeInstanceInformation",
        "ssm:DescribeInstancePatchStates",
        "ssm:DescribeInstancePatchStatesForPatchGroup",
        "ssm:DescribeInstancePatches",
        "ssm:DescribeInstanceProperties",
        "ssm:DescribeInventoryDeletions",
        "ssm:DescribeMaintenanceWindowExecutionTaskInvocations",
        "ssm:DescribeMaintenanceWindowExecutionTasks",
        "ssm:DescribeMaintenanceWindowExecutions",
        "ssm:DescribeMaintenanceWindowSchedule",
        "ssm:DescribeMaintenanceWindowTargets",
        "ssm:DescribeMaintenanceWindowTasks",
        "ssm:DescribeMaintenanceWindows",
        "ssm:DescribeMaintenanceWindowsForTarget",
        "ssm:DescribeOpsItems",
        "ssm:DescribeParameters",
        "ssm:DescribePatchBaselines",
        "ssm:DescribePatchGroupState",
        "ssm:DescribePatchGroups",
        "ssm:DescribePatchProperties",
        "ssm:DescribeSessions",
        "ssm:GetAutomationExecution",
        "ssm:GetCommandInvocation",
        "ssm:GetConnectionStatus",
        "ssm:GetDefaultPatchBaseline",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:GetInventory",
        "ssm:GetInventorySchema",
        "ssm:GetMaintenanceWindow",
        "ssm:GetMaintenanceWindowExecution",
        "ssm:GetMaintenanceWindowExecutionTask",
        "ssm:GetMaintenanceWindowExecutionTaskInvocation",
        "ssm:GetMaintenanceWindowTask",
        "ssm:GetManifest",
        "ssm:GetOpsItem",
        "ssm:GetOpsSummary",
        "ssm:GetParameter",
        "ssm:GetParameterHistory",
        "ssm:GetParameters",
        "ssm:GetParametersByPath",
        "ssm:GetPatchBaseline",
        "ssm:GetPatchBaselineForPatchGroup",
        "ssm:GetServiceSetting",
        "ssm:ListAssociationVersions",
        "ssm:ListAssociations",
        "ssm:ListCommandInvocations",
        "ssm:ListCommands",
        "ssm:ListComplianceItems",
        "ssm:ListComplianceSummaries",
        "ssm:ListDocumentVersions",
        "ssm:ListDocuments",
        "ssm:ListInstanceAssociations",
        "ssm:ListInventoryEntries",
        "ssm:ListResourceComplianceSummaries",
        "ssm:ListResourceDataSync",
        "ssm:ListTagsForResource",
        "ssm:PutConfigurePackageResult"
      ],
      "Resource": "*"
    }
  ]
}
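Before starting the installation it is worth confirming that the policy your AWS administrator actually attached covers every action the guide lists, and seeing which of its statements pair a service-wide wildcard (such as ec2:*) with Resource "*", since those are the grants to review against least privilege. The following Python is an added example, not part of this guide or the ArcSight tooling: it evaluates a policy document offline against a list of required actions (case-insensitive, honouring IAM's * and ? wildcards, with an explicit Deny overriding Allow). The embedded policy is a constructed, abbreviated copy of the one above.

```python
import fnmatch
import json

# Constructed sample: an abbreviated copy of the guide's minimal policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:*", "iam:CreateRole", "iam:PassRole", "iam:ListRoles"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:*", "eks:*", "s3:CreateBucket", "s3:GetObject", "ssm:GetParameter"],
     "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def action_allowed(policy, action):
    """True if the policy grants `action` on some resource. IAM action matching is
    case-insensitive and honours * and ?; an explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def missing_actions(policy, required):
    """Required actions the policy does not grant; a deployment preflight
    should stop while this list is non-empty."""
    return [a for a in required if not action_allowed(policy, a)]

def wildcard_grants(policy):
    """(statement index, actions) for Allow statements that combine a
    service-wide action wildcard with Resource "*"; review these with the admin."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        broad = [a for a in _as_list(stmt.get("Action")) if a.endswith(":*")]
        if broad:
            findings.append((i, broad))
    return findings
```

To check a live identity rather than a file, the same action list can be fed to `aws iam simulate-principal-policy` (AWS CLI v2) and the JSON result filtered with jq.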
The AWS CLI (v2) and jq tools must be installed on the local host.
AWS CLI is a unified tool to manage AWS services. If it is not already installed, install and configure the AWS CLI (version 2) tool for your platform. All references to the CLI in this guide refer to the AWS CLI version 2 interface.
- Amazon provides the instructions for installing the AWS CLI.
- After installation, configure the AWS CLI to properly authenticate and connect to AWS as described in Configuring AWS CLI.
jq is a lightweight and flexible open-source command-line JSON processor.
- You can download the jq binaries from the jq homepage.
Configuring the Local Host
You can configure and use any local host which has Internet access for the initial steps in setting up your deployment environment. Later, you will create a bastion instance, and use the bastion to perform the installation, as well as to access the cluster after installation.
Kubernetes Requirements:
Using the AWS Deployment Worksheet
Setting up an AWS deployment environment requires configuring many AWS resources. As a result, you will need convenient access to important details of these resources, such as resource names, IP addresses, and settings for AWS entities, which you will determine during the setup process.
For ease of reference, it is strongly recommended that you print out and use the AWS worksheet to record the details of your configuration. The procedures given here assume you will be using the worksheet for reference and will note when particular details should be recorded.
Next Step: Creating the Virtual Private Cloud (VPC)